Trustico: Difference between revisions
m Wikilink private keys |
m Wikilink root |
||
Line 20: | Line 20: | ||
It became notable in March 2018, after its CEO transferred the [[private key]]s for 23,000 [[HTTPS]] certificates via [[email]] (not a secure protocol) to an executive at [[DigiCert]].<ref name="ars23k">{{cite web|url=https://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/|title=23,000 HTTPS certificates axed after CEO emails private keys|publisher=}}</ref><ref>{{cite web|url=http://www.zdnet.com/article/trustico-compromises-own-customers-https-private-keys-in-spat-with-partner/|title=Trustico compromises own customers' HTTPS private keys in spat with partner|first=Zack|last=Whittaker|publisher=}}</ref><ref>{{cite web|url=https://www.securityweek.com/23000-digital-certificates-revoked-digicert-trustico-spat|title=23,000 Digital Certificates Revoked in DigiCert-Trustico Spat - SecurityWeek.Com|website=www.securityweek.com}}</ref><ref name="reg23k">{{cite web|url=https://www.theregister.co.uk/2018/03/01/trustico_digicert_symantec_spat/|title=23,000 HTTPS certs will be axed in next 24 hours after private keys leak|publisher=}}</ref><ref>{{cite web|url=https://news.ycombinator.com/item?id=16492284|title=How not to run a CA - Hacker News|website=news.ycombinator.com}}</ref> The fact that these private keys had been stored by Trustico suggested that Trustico had been violating the baseline requirements for certificate authorities.<ref name="ars23k"/> |
It became notable in March 2018, after its CEO transferred the [[private key]]s for 23,000 [[HTTPS]] certificates via [[email]] (not a secure protocol) to an executive at [[DigiCert]].<ref name="ars23k">{{cite web|url=https://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/|title=23,000 HTTPS certificates axed after CEO emails private keys|publisher=}}</ref><ref>{{cite web|url=http://www.zdnet.com/article/trustico-compromises-own-customers-https-private-keys-in-spat-with-partner/|title=Trustico compromises own customers' HTTPS private keys in spat with partner|first=Zack|last=Whittaker|publisher=}}</ref><ref>{{cite web|url=https://www.securityweek.com/23000-digital-certificates-revoked-digicert-trustico-spat|title=23,000 Digital Certificates Revoked in DigiCert-Trustico Spat - SecurityWeek.Com|website=www.securityweek.com}}</ref><ref name="reg23k">{{cite web|url=https://www.theregister.co.uk/2018/03/01/trustico_digicert_symantec_spat/|title=23,000 HTTPS certs will be axed in next 24 hours after private keys leak|publisher=}}</ref><ref>{{cite web|url=https://news.ycombinator.com/item?id=16492284|title=How not to run a CA - Hacker News|website=news.ycombinator.com}}</ref> The fact that these private keys had been stored by Trustico suggested that Trustico had been violating the baseline requirements for certificate authorities.<ref name="ars23k"/> |
||
This was followed by the disclosure of a critical security flaw - a publicly-accessible root shell - in the Trustico website, after which the website was taken offline.<ref>{{cite web|url=https://arstechnica.com/information-technology/2018/03/trustico-website-goes-dark-after-someone-drops-critical-flaw-on-twitter/|title=Trustico website goes dark after someone drops critical flaw on Twitter|publisher=}}</ref><ref>{{cite web|url=https://www.theregister.co.uk/2018/03/01/trustico_website_offline/|title=HTTPS cert flingers Trustico, SSL Direct go TITSUP after website security blunder blabbed|publisher=}}</ref> |
This was followed by the disclosure of a critical security flaw - a publicly-accessible [[superuser|root]] shell - in the Trustico website, after which the website was taken offline.<ref>{{cite web|url=https://arstechnica.com/information-technology/2018/03/trustico-website-goes-dark-after-someone-drops-critical-flaw-on-twitter/|title=Trustico website goes dark after someone drops critical flaw on Twitter|publisher=}}</ref><ref>{{cite web|url=https://www.theregister.co.uk/2018/03/01/trustico_website_offline/|title=HTTPS cert flingers Trustico, SSL Direct go TITSUP after website security blunder blabbed|publisher=}}</ref> |
||
== See also == |
== See also == |
Revision as of 03:34, 2 March 2018
Company type | Private company |
---|---|
Industry | Internet security, Public key infrastructure |
Headquarters | , |
Trustico is a certificate authority.
It became notable in March 2018, after its CEO transferred the private keys for 23,000 HTTPS certificates via email (not a secure protocol) to an executive at DigiCert.[2][3][4][1][5] The fact that these private keys had been stored by Trustico suggested that Trustico had been violating the baseline requirements for certificate authorities.[2]
This was followed by the disclosure of a critical security flaw - a publicly accessible root shell - in the Trustico website, after which the website was taken offline.[6][7]
See also
References
1. "23,000 HTTPS certs will be axed in next 24 hours after private keys leak".
2. "23,000 HTTPS certificates axed after CEO emails private keys".
3. Whittaker, Zack. "Trustico compromises own customers' HTTPS private keys in spat with partner".
4. "23,000 Digital Certificates Revoked in DigiCert-Trustico Spat - SecurityWeek.Com". www.securityweek.com.
5. "How not to run a CA - Hacker News". news.ycombinator.com.
6. "Trustico website goes dark after someone drops critical flaw on Twitter".
7. "HTTPS cert flingers Trustico, SSL Direct go TITSUP after website security blunder blabbed".